April 2025

China Finalises the Measures for Personal Information Protection Compliance Audits


On 14 February 2025, the Cyberspace Administration of China (“CAC”) issued the “Administrative Measures for Personal Information Protection Compliance Audits” (the "Measures"), which will take effect on 1 May 2025. The Measures were introduced more than a year after the publication of the Draft Measures back in August 2023 (the "Draft Measures"). The Measures, issued pursuant to the Personal Information Protection Law (“PIPL”) and the Network Data Security Management Regulations (the “Regulations”) (see our previous Legal Update on PRC Network Data Security Management Regulations), provide more clarity on the requirements and procedures for conducting personal information protection compliance audits (“PI Audits”) under these laws and regulations. The finalised Measures largely retain the key requirements under the Draft Measures but introduce notable relaxations and offer more flexibility compared to the original proposal.

Background

The current framework under Articles 54 and 64 of PIPL defines two scenarios where personal information processors (“data controllers”) are required to perform a PI Audit. Under the PIPL and the Regulations, data controllers are required to conduct PI Audits regularly ("Regular Audit") by themselves or commission an external professional institution, to ensure compliance with the requirements under Chinese data laws. In situations where the regulator is of the opinion that relatively high risks are involved in the personal information processing activities of a data controller or if the data controller has suffered a data security incident, such data controllers may be required to engage a professional institution to conduct a PI Audit ("Regulator-mandated Audit").

Apart from the high-level framework set out under current laws and regulations, there is little detail available regarding the specific procedures and requirements for conducting PI Audits. The Measures therefore provide much-needed clarity on the specific thresholds, procedures and standards for PI Audits.

New Threshold for PI Audits

Regular Audit

Under the finalised Measures, data controllers that process personal information of more than 10 million individuals are required to conduct a Regular Audit at least once every two years. This threshold has been relaxed compared to the Draft Measures, which proposed that data controllers processing the personal information of more than 1 million individuals shall be required to conduct a PI Audit at least once a year.

Meanwhile, data controllers processing the personal information of fewer than 10 million individuals are given more latitude under the Measures. They can now determine a reasonable frequency for Regular Audits taking into account their own circumstances, including the nature and sensitivity of the personal information processed by them and the potential risks associated with their personal information processing activities. Data controllers can conduct Regular Audits by themselves or through an external professional institution, but they should nevertheless consider any other sectoral requirements that may be applicable to them. For example, financial institutions and companies processing personal information of minors are subject to separate audit and/or data security risk assessment requirements under the specific regulations that apply to them.

Regulator-mandated Audit

Under the Measures, regulators may require a data controller to conduct a PI Audit under the following circumstances:

  1. There are significant risks associated with the personal information processing activities – such as processing activities which may cause serious impact on individuals' rights and interests or processing activities with notable deficiency in security measures;
  2. The personal information processing activities may infringe on the rights and interests of a large number of individuals; or
  3. The data controller suffers an incident that results in leakage, tampering, loss, or damage of the personal information affecting more than 1 million individuals, or the sensitive personal information of more than 100,000 individuals.

The Measures clarify that the regulators shall not repeatedly require data controllers to conduct Regulator-mandated Audits for the same incident or security risk. Compared to Regular Audits which can be conducted either by the data controllers themselves or by professional institutions, Regulator-mandated Audits can only be conducted by third party professional institutions. A professional institution is prohibited from conducting more than three consecutive PI Audits for the same data controller.

Scope and Procedures of PI Audits

The Measures include an annex, the "Guidelines for Personal Information Protection Compliance Audits" (the "Guidelines"), which provides a list of key aspects to be audited by data controllers and third-party professional institutions. The 27 categories included in the list cover different stages of personal information processing, including the legal basis for processing, processing of sensitive personal information, data retention, cross-border data transfers, responses to data breaches, etc.

Appointment of Data Protection Officer (“DPO”)

Under the PIPL, data controllers processing personal information that exceeds the volume specified by CAC shall appoint a DPO. The finalised Measures provide a clear threshold for this mandatory requirement – they clarify that data controllers processing the personal information of more than 1 million individuals shall appoint a DPO, who will be responsible for PI Audits. Furthermore, the Measures stipulate that data controllers which provide significant internet platform service with a large number of users or who conduct businesses of a complex nature, should establish an independent department mainly comprising external members to oversee PI Audits.

Reporting and rectification

Data controllers required to conduct a Regulator-mandated Audit shall engage a suitable third-party professional institution and complete the audit within the timeframe specified by the relevant regulator. After the audit is completed, data controllers shall submit the audit report issued by the professional institution to the relevant regulator. The relevant regulator may direct data controllers to rectify the issues identified during the Regulator-mandated Audit. Such data controllers are required to submit a rectification report to the relevant regulator within 15 working days of completing the rectification required by the regulator.

Conclusion

Although the Measures provide more clarity on the procedures and requirements for conducting PI Audits, some uncertainties remain. For example, under the PIPL, data controllers (including foreign data controllers which are subject to the PIPL's extraterritorial application) shall comply with the PI Audit requirements. However, Article 2 of the Measures specifies that the Measures apply to PI Audits conducted within the PRC. It is therefore not clear to what extent foreign data controllers are also subject to the PI Audit requirements under the Measures.

As the finalised Measures will become effective on 1 May 2025, now is the time for companies that are subject to the Measures to conduct a comprehensive review of their current personal information processing activities, clearly define the scope and volume of data held by them, formulate their compliance audit policies and establish compliance audit practices within their organisation so as to be ready by the deadline.

The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown Hong Kong LLP, for her assistance with this article.
